ID4me feature of OpenID Connect app available even when disabled

Moderate
nickvergessen published GHSA-vw7g-959g-vj6q Jun 14, 2024

Package

User OIDC (Nextcloud)

Affected versions

<= 1.3.6

Patched versions

3.0.0, 4.0.0, 5.0.0

Description

Impact

Missing access control on the ID4me endpoint allows an attacker to register an account and thereby gain access to data that is available to all registered users.
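To make the defect concrete, the following is an added illustration in Nextcloud's controller style; it is not code from the user_oidc app, and the class name, route methods and the `id4me_enabled` config key are assumptions. It contrasts an endpoint that never consults the feature flag with one that refuses before any state changes when ID4me is switched off.

```php
<?php
// Added illustration, not code from the user_oidc app. Class, method and
// config-key names are assumed; only the Nextcloud framework classes are real.
declare(strict_types=1);

namespace OCA\Example\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\IConfig;
use OCP\IRequest;

class Id4meController extends Controller {
	// Assumed app-config key; confirm against the installed app's settings.
	private const ID4ME_ENABLED_KEY = 'id4me_enabled';

	public function __construct(string $appName, IRequest $request, private IConfig $config) {
		parent::__construct($appName, $request);
	}

	/** True only when an administrator has explicitly switched the feature on. */
	private function id4meEnabled(): bool {
		return $this->config->getAppValue($this->appName, self::ID4ME_ENABLED_KEY, '0') === '1';
	}

	/** Reject anything that does not look like a hostname before using it for discovery. */
	private function validDomain(string $domain): bool {
		return preg_match('/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $domain) === 1;
	}

	/**
	 * Vulnerable shape: a public route that never checks the feature flag, so the
	 * registration flow stays reachable while the admin believes ID4me is off.
	 *
	 * @PublicPage
	 * @NoCSRFRequired
	 */
	public function registerUnchecked(string $domain): JSONResponse {
		return $this->startRegistration($domain);
	}

	/**
	 * Hardened shape: the feature flag is the first check, ahead of input handling.
	 *
	 * @PublicPage
	 * @NoCSRFRequired
	 */
	public function register(string $domain): JSONResponse {
		if (!$this->id4meEnabled()) {
			// 404 so a disabled feature is indistinguishable from an absent route.
			return new JSONResponse(['error' => 'not found'], Http::STATUS_NOT_FOUND);
		}
		if (!$this->validDomain($domain)) {
			return new JSONResponse(['error' => 'invalid domain'], Http::STATUS_BAD_REQUEST);
		}
		return $this->startRegistration($domain);
	}

	/** The discovery and account-creation steps themselves are out of scope here. */
	private function startRegistration(string $domain): JSONResponse {
		return new JSONResponse(['status' => 'started', 'domain' => strtolower($domain)]);
	}
}
```

The design point is ordering: the enabled check runs before validation or any lookup, so a disabled feature never touches user state. Administrators who keep the app installed can read the flag with `occ config:app:get user_oidc id4me_enabled` (assuming that is the key the app uses) and should expect the endpoint to answer 404 whenever it is not `1`.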

Patches

It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).

Workarounds

  • Disable app user_oidc

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate (6.3 / 10)

CVSS base metrics

Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-37312

Weaknesses

Credits